The Follina vulnerability in Microsoft Office is still being exploited by criminals a month after the company released a patch that was supposed to fix it. Microsoft appeared to be taking further action as part of yesterday’s Patch Tuesday security update, but the vulnerability is likely to continue to be exploited by hackers, particularly government-sponsored groups.
Follina, a vulnerability in the MSDT protocol tool used by Office, was first revealed in April and gives criminals who exploit it the ability to execute arbitrary code on an infected system, meaning it can be used to take control of these systems and spread malware. “An attacker who successfully exploited this vulnerability could execute arbitrary code with the privileges of the calling application,” according to a post in Microsoft’s Security Response Center (MSRC). “The attacker can then install programs, view, change or delete data, or create new accounts in the context permitted by the user’s privileges.”
Microsoft waited two months to take action against Follina and released a patch as part of Patch Tuesday in June. But while this combats the way criminals can access systems, it does nothing to stop malicious code from running in Office. So said analyst Kevin Beaumont, who coined the Follina name: “By not addressing how MS Protocol loads in Word templates and Outlook, the attack surface remains large, which means this issue will recur.”
Following this month’s Patch Tuesday, Beaumont reported on Twitter that the updates Microsoft released appear to be a step in the right direction.
The Follina vulnerability continues to be exploited
Regardless of the effectiveness of the patch, the sheer number of Office 365 users poses a problem in combating Follina. Microsoft’s latest quarterly results showed that there were 345 million paid commercial Office 365 users.
Bharat Mistry, technical director for the UK and Ireland at Trend Micro, says that alone means all systems are unlikely to be patched against the problem. “The community that uses Microsoft Office is huge, almost everyone uses it,” he says. “How fast can people even patch?”
Last week, security firm Fortinet reported that attackers used the Follina flaw to deploy Rozena malware via a link to gaming chat platform Discord. The malware opens a backdoor to infected systems. Ukrainian media organizations have also been targeted by Russian hackers who have been exploiting the vulnerability since the first patch was released.
Mistry believes Follina’s far-reaching effects mean many other hacker gangs could try to exploit it. “I wouldn’t be surprised if government-sponsored groups used it to gather information for espionage purposes,” he says.